North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

A North Korea-linked cyber-espionage group has been observed using job-themed phishing lures to target victims in the energy and aerospace sectors and infect them with a previously undocumented backdoor called MISTPEN.

The activity cluster is tracked by Google-owned Mandiant under the alias UNC2970, which it assesses overlaps with a threat group known as TEMP.Hermit, more broadly known as Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, military, telecommunications, and financial organizations worldwide since at least 2013 to collect strategic information that furthers North Korean objectives. It is affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out several companies located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new report, adding that the group copies and modifies genuine job advertisements to match its targets' profiles.

"Moreover, the specified job descriptions target senior-/manager-level individuals. This shows the threat actor seeks to acquire access to sensitive and secret information that is generally reserved for higher-level workers."

The attack chains, also known as Operation Dream Job, use spear-phishing lures delivered over email and WhatsApp to build trust with the victim before handing over a malicious ZIP archive disguised as a job description.

In an unusual twist, the PDF file containing the job description can only be opened with a trojanized version of a legitimate PDF reader, Sumatra PDF, that is bundled inside the archive. Opening the PDF with this reader deploys MISTPEN via a launcher referred to as BURNBOOK.

It is worth emphasizing that this is not a supply chain attack, nor is there a vulnerability in the program. Rather, the attack relies on an older Sumatra PDF version that has been repurposed to start the infection chain.

This is a tried-and-tested technique the group has used since at least 2022, with both Mandiant and Microsoft highlighting its use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer, in these attacks.

The threat actors are believed to urge victims to open the PDF file with the bundled, weaponized PDF reader, which triggers the execution of a malicious DLL file, a C/C++ launcher named BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers added. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded inside BURNBOOK, is responsible for decrypting and running MISTPEN. A lightweight implant written in C, MISTPEN can download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.
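The delivery pattern described above (a "job description" PDF shipped together with its own PDF reader and a DLL that the reader will pick up from the same directory) is something a mail gateway or sandbox can triage before anyone double-clicks. The following Python script is an added example written for this article; it is not Mandiant's detection logic or any vendor's product. It inspects a ZIP attachment in memory and flags the structural signs of the lure: a document bundled with an executable, a PE placed beside that executable, and a DLL carrying the name of a Windows system library (wtsapi32.dll is the name the article gives for TEARPAGE; any other names you add to that set are your own assumptions). The sample archives it builds are constructed placeholders with dummy file bodies, not real binaries.

```python
"""Heuristic triage of a ZIP attachment for the bundled-PDF-reader lure pattern.

Added example for this article; assumptions are marked in comments.
"""
import io
import posixpath
import zipfile

PE_MAGIC = b"MZ"      # DOS header that every Windows PE file starts with
PDF_MAGIC = b"%PDF"   # PDF files start with this signature

# Assumption: a DLL inside an attachment that reuses the name of a Windows system
# library is a DLL search-order hijack candidate. wtsapi32.dll is the name the
# article attributes to TEARPAGE; extend the set from your own telemetry.
SYSTEM_DLL_NAMES = {"wtsapi32.dll"}


def inspect_archive(zip_bytes: bytes) -> dict:
    """Return a verdict dict for an in-memory ZIP: suspicious flag plus reasons."""
    reasons, pdfs, exes, dlls = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed to classify
            name = info.filename
            lower = name.lower()
            if head.startswith(PDF_MAGIC):
                pdfs.append(name)
            elif head.startswith(PE_MAGIC):
                if lower.endswith(".exe"):
                    exes.append(name)
                elif lower.endswith(".dll"):
                    dlls.append(name)
                else:
                    # e.g. a PE renamed to .pdf: content and extension disagree
                    reasons.append(f"{name}: PE header under a non-executable extension")

    if pdfs and exes:
        reasons.append("document bundled with an executable (reader-in-the-archive lure)")

    exe_dirs = {posixpath.dirname(e) for e in exes}
    for dll in dlls:
        if posixpath.basename(dll).lower() in SYSTEM_DLL_NAMES:
            reasons.append(f"{dll}: Windows system DLL name shipped inside the archive")
        if posixpath.dirname(dll) in exe_dirs:
            reasons.append(f"{dll}: DLL placed beside an executable (search-order hijack pattern)")

    return {"suspicious": bool(reasons), "reasons": reasons,
            "pdfs": pdfs, "exes": exes, "dlls": dlls}


def _build_zip(entries: dict) -> bytes:
    """Build a ZIP in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_lure_archive() -> bytes:
    """Constructed sample shaped like the described bundle; bodies are dummy bytes."""
    return _build_zip({
        "Job_Description/Senior_Engineer_Role.pdf": b"%PDF-1.7\n% constructed placeholder\n",
        "Job_Description/SumatraPDF.exe": PE_MAGIC + b"\x00" * 62,
        "Job_Description/wtsapi32.dll": PE_MAGIC + b"\x00" * 62,
    })


def sample_benign_archive() -> bytes:
    """Constructed sample: documents only, nothing executable."""
    return _build_zip({
        "Role.pdf": b"%PDF-1.7\n% constructed placeholder\n",
        "Benefits.pdf": b"%PDF-1.7\n% constructed placeholder\n",
    })


if __name__ == "__main__":
    for label, archive in (("lure", sample_lure_archive()), ("benign", sample_benign_archive())):
        verdict = inspect_archive(archive)
        print(f"{label}: suspicious={verdict['suspicious']}")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

The check deliberately keys on structure rather than hashes, since the article notes both BURNBOOK and MISTPEN are being updated over time; a legitimate job posting has no reason to ship its own reader, so an attachment that does can be held for analysis regardless of which binary is inside.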

Mandiant also said it identified older BURNBOOK and MISTPEN samples, indicating that both are being repeatedly updated to add capabilities and evade detection. The early MISTPEN samples were also observed using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.
